RE: [fw-wiz] VPN concentrators
From: Patrick Darden (darden@armc.org)
Date: 08/27/02
- Next message: Patrick Darden: "RE: [fw-wiz] VPN concentrators"
- Previous message: Patrick Darden: "Re: [fw-wiz] VPN concentrators"
- In reply to: scouser@paradise.net.nz: "RE: [fw-wiz] VPN concentrators"
- Next in thread: m p: "Re: [fw-wiz] VPN concentrators"
From: Patrick Darden <darden@armc.org>
To: scouser@paradise.net.nz
Date: Tue Aug 27 09:29:01 2002
Well, if it is remote PC ----> network connections, then you can control the
end user's security pretty securely. Simply have a remote network access
policy that states a minimum security allowance, and have your VPN client
check for these before allowing a tunnel. Something like: Norton Internet
Security with an update within the last 7 days; or BlackICE plus
Kaspersky; etc. If your client can't check for these things, then you
could write a wrapper to check for them on the hard drive easily enough,
or check the registry to see if they are installed and "on".
--
--Patrick Darden Internetworking Manager
-- 706.475.3312 darden@armc.org
-- Athens Regional Medical Center

On Tue, 27 Aug 2002 scouser@paradise.net.nz wrote:

> OK some but not all answers
> It is for remote users, so it would be Client to Device (initially :P)
> So users would be employees. (totally untrustworthy :P)
> Client software would probably depend on Device as a number of beneficial
> features can be used if you match the client to the device (personal firewalls,
> automated upgrading of clients etc...)
> users would be about 250 initially but up to 4000 potentially in the future.
> availability would be an issue but this would be dealt with by the architecture
> design and would not be dependant on the solution.
> Management I would presume would depend on the device, ie LSMS for a brick etc...
> Central management is an important issue however.
>
>
> Not sure what you mean by access control? Do you mean to internal resources? If
> VPN traffic could be split into different network pools then internal NIDS, and
> ACLs could manage this (along with obvious host/resource access controls)
>
> What are these mysterious "IPSEC issues" that we are all aware of ( or perhaps
> not in my case) ??
>
>
> James
>
> Quoting Ofir Arkin <ofir@sys-security.com>:
>
> > All,
> >
> > No one even looked at a number of other critical questions:
> >
> > - Is this a Device to Device VPN?
> > - Is this a Client to Device VPN?
> > - Both?
> > - What information needs to go through that VPN?
> > - Who uses the VPN? Trusted entity? Your grand mother?
> > - What is that trusted entity's security?
> > - Can we trust it? (of course not)
> > - What is the client software used (shame on you all not mentioning that
> >   :P)
> > - IPSEC - there are a number of issues here to remind you all.
> > - Management
> > - Access Controls
> > - Number of users using the VPN
> > - Availability issues
> > - Etc.
> >
> > People should look at the bigger picture and not at the box.
> > The bigger picture then will tell us what boxes you can, or cannot use.
> >
> > By the way - a VPN is not a firewall...
> > The encrypted traffic hitting the VPN must be validated after decryption
> > is performed... This is the reason why, sometimes, a VPN+Firewall in one
> > box (e.g. checkpoint) will be a good solution, or a
> > firewall-VPN-firewall "sandwich" will be also used.
> >
> >
> > Just my 2c.
> >
> > Ofir Arkin [ofir@sys-security.com]
> > Founder
> > The Sys-Security Group
> > http://www.sys-security.com
> > PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
> >
> > -----Original Message-----
> > From: firewall-wizards-admin@honor.icsalabs.com
> > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Patrick
> > Darden
> > Sent: 26 August 2002 15:52
> > To: Dave Piscitello
> > Cc: scouser@paradise.net.nz; firewall-wizards@honor.icsalabs.com
> > Subject: Re: [fw-wiz] VPN concentrators
> >
> >
> > Actually, what you describe is only slightly different from what I
> > describe. I can't really think of any differences, except that yours may
> > cost less but possibly provide less performance....
> >
> > --
> > --Patrick Darden Internetworking Manager
> > -- 706.475.3312 darden@armc.org
> > -- Athens Regional Medical Center
> >
> >
> > On Mon, 26 Aug 2002, Dave Piscitello wrote:
> >
> > > Goes to show you that "best thinking" is subjective.
> > >
> > > Firewall appliances with crypto acceleration for IPsec and an optional/DMZ
> > > port satisfy most site requirements without all the extra hardware,
> > > addressing/subnetting, and routing issues (how you return IPsec traffic
> > > when you have FW and VPN appliance in parallel isn't a simple "default
> > > gateway is the firewall" config on the internal network). You also don't
> > > have to manage policy across multiple systems with multiple UIs, and you
> > > don't have to deal with multiple sources of logging and reporting of policy
> > > violations.
> > >
> > > I'm happy with this arrangement.
> > >
> > > At 08:39 AM 8/26/2002 -0400, Patrick Darden wrote:
> > > >Here is the current best thinking, to my knowledge:
> > > >
> > > >        ds3 to internet
> > > >              |
> > > >              |
> > > >       ---------------
> > > >       Bastion Router|
> > > >       ---------------
> > > >         |        |
> > > >         |         \
> > > >      firewall      \
> > > >         |        vpn engine
> > > >         |           |
> > > >       ==================
> > > >       internal network |
> > > >       ==================
> > >
> > > David M. Piscitello
> > > Core Competence, Inc. &
> > > 3 Myrtle Bank Lane
> > > Hilton Head, SC 29926
> > > dave@corecom.com
> > > 843.689.5595
> > > www.corecom.com
> > >
> > >
> > > _______________________________________________
> > > firewall-wizards mailing list
> > > firewall-wizards@honor.icsalabs.com
> > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
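A policy gate of the kind the message above describes, written here as an added example rather than code from the thread: it takes the facts a client-side wrapper would have collected (installed, switched on, date of last update) and decides whether the tunnel may come up. The product names and the 7-day rule come from the message; the `products` dict, `product()` and `evaluate_posture()` are my own assumptions, and because the check runs on a host the remote user controls it is a hygiene gate, not a trust boundary.

```python
"""Minimum-posture gate for a remote-access VPN client (added example, not
code from the thread). Collecting the facts from the registry or disk is
platform-specific and is stood in for by a constructed dict."""
from datetime import datetime, timedelta

MAX_SIGNATURE_AGE = timedelta(days=7)
SAMPLE_NOW = datetime(2002, 8, 27)  # constructed reference time

# Each accepted bundle must be fully installed, switched on and current.
ACCEPTED_BUNDLES = [
    {"Norton Internet Security"},
    {"BlackICE", "Kaspersky"},
]


def product(enabled, days_since_update, now=SAMPLE_NOW):
    """One collected-fact record, as a registry/disk wrapper would return it."""
    return {"enabled": enabled, "last_update": now - timedelta(days=days_since_update)}


def evaluate_posture(products, now=SAMPLE_NOW):
    """products maps product name -> {"enabled": bool, "last_update": datetime}.

    Returns (allowed, reasons). One satisfied bundle is enough; otherwise every
    failed check is reported so the user knows what to fix before retrying.
    """
    reasons = []
    for bundle in ACCEPTED_BUNDLES:
        label = "+".join(sorted(bundle))
        missing = sorted(p for p in bundle if p not in products)
        if missing:
            reasons.append(f"{label}: not installed: {', '.join(missing)}")
            continue
        problems = []
        for name in sorted(bundle):
            info = products[name]
            if not info["enabled"]:
                problems.append(f"{name}: installed but switched off")
            age = now - info["last_update"]
            if age > MAX_SIGNATURE_AGE:
                problems.append(f"{name}: last update {age.days} days ago (limit 7)")
        if not problems:
            return True, [f"{label}: satisfies policy"]
        reasons.extend(problems)
    return False, reasons
```

The client would call `evaluate_posture()` before bringing up the tunnel and refuse (showing the reasons) on a False result.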